As gradle does not include the distributionSha256Sum by default in the gradle-wrapper.properties (gradle/gradle#12412) it would be great if gm could offer support for validating/injecting this as well. Especially if users are using a mirror URL.
The version and type could be inferred from the url if it is just a transparent mirror.
It also implies gm is trusted to download and apply the checksum. Typically the matching checksum is retrieved separately from the tool to avoid conflicts. I suppose the gm binary could be signed and somehow validate itself against a well-known signature server. If it passes then it can proceed to download and update the checksum.
That or blindly trust gm to not inject a faulty checksum.
A main use case for me would be: I have downloaded and validated gm manually, I check out some third-party repository that uses gradle, and I am safe with regard to the infrastructure code. Of course this doesn't say anything about the actual code in the repository itself, but it is better than the status quo.
The checksums can be retrieved from https://gradle.org/release-checksums/ or from https://services.gradle.org/versions/all.
This is related to #39, which validates the committed gradle-wrapper.jar and shell scripts.
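The validate/inject behaviour requested above, as an added example that is not gm's code: it parses gradle-wrapper.properties, infers version and type from the artifact name at the end of distributionUrl (so a transparent mirror works), and compares or injects distributionSha256Sum against a checksum table. The table here is a constructed placeholder; a real tool would obtain it separately from the tool itself, e.g. from the sources linked in the issue.

```python
import re

# Constructed sample table: in practice the expected sums come from
# https://services.gradle.org/versions/all ("checksumUrl" per release) or
# https://gradle.org/release-checksums/ . The value below is a placeholder.
KNOWN_SHA256 = {("8.5", "bin"): "0" * 64}

# Matches the official artifact name at the end of any URL, mirrors included.
DIST_RE = re.compile(r"gradle-(?P<version>[0-9][\w.\-]*?)-(?P<type>bin|all)\.zip$")


def parse_properties(text):
    """Minimal java.util.Properties reader for gradle-wrapper.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\:", ":")  # Gradle writes ':' as '\:'
    return props


def infer_distribution(url):
    """Return (version, type) inferred from the distributionUrl, or None."""
    m = DIST_RE.search(url)
    return (m.group("version"), m.group("type")) if m else None


def check_wrapper(text, known=KNOWN_SHA256):
    """Classify the pinned checksum: ok, missing, mismatch, or not verifiable."""
    props = parse_properties(text)
    dist = infer_distribution(props.get("distributionUrl", ""))
    expected = known.get(dist) if dist else None
    pinned = props.get("distributionSha256Sum")
    if dist is None:
        return "unrecognised-url"
    if expected is None:
        return "unknown-version"
    if pinned is None:
        return "missing"
    return "ok" if pinned.lower() == expected.lower() else "mismatch"


def inject_checksum(text, known=KNOWN_SHA256):
    """Append distributionSha256Sum when it is absent and the version is known."""
    if check_wrapper(text, known) != "missing":
        return text
    dist = infer_distribution(parse_properties(text)["distributionUrl"])
    return text.rstrip("\n") + f"\ndistributionSha256Sum={known[dist]}\n"
```

A "mismatch" or "unknown-version" result should fail the build rather than be silently rewritten, since the file may be pointing at a tampered or unexpected distribution.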